Journal de Th´eorie des Nombres
de Bordeaux 18 (2006), 559–572

A Terr algorithm for computations in the
infrastructure of real-quadratic number fields
par Johannes BUCHMANN et Ulrich VOLLMER
Dedicated to Michael Pohst on the occasion of his 60th birthday.

´sume
´. Nous montrons comment adapter la variante due `a Terr
Re
de l’algorithme “baby-step giant-step” de Shanks pour le calcul
du r´egulateur et des g´en´erateurs des id´eaux principaux des corps
quadratiques r´eels. La complexit´e du pire cas de l’algorithme
obtenu d´epend uniquement de la racine carr´ee du r´egulateur, et
est plus petite que toutes celles des algorithmes inconditionnels et
d´eterministes connus pr´ec´edemment pour ce probl`eme.
Abstract. We show how to adapt Terr’s variant of the baby-step
giant-step algorithm of Shanks to the computation of the regulator and of generators of principal ideals in real-quadratic number
fields. The worst case complexity of the resulting algorithm depends only on the square root of the regulator, and is smaller than
that of all other previously specified unconditional deterministic

algorithm for this task.

1. Introduction
The baby-step giant-step idea goes back to Shanks, see [Sha71]. It can
be applied to group order and discrete logarithm computations in general
groups. Shanks basic goal, however, was to apply it to computations in
class groups and the infrastructure of quadratic number fields, the latter
also having been a discovery he made. His original algorithms assume the
knowledge of an upper bound B for the group order, or the regulator,
√
respectively. Their complexity (in terms of group operations) is in O( B).
The algorithms can be adapted to the case were no such bound is known, by
taking an arbitrary small bound and squaring (or, respectively, doubling)
it in case of a failure of the algorithm, cf. e.g. [BW88] and [BJT97].
More elegant is another variant of the baby-step giant-step algorithm
given by Terr for the element order problem in [Ter00]. Its basic idea is
not to compute all baby-steps at once, but to alternate baby- and giantsteps. The length of each giant-step equals the current size of the baby-step
Manuscrit re¸cu le 31 d´
ecembre 2005.

560

Johannes Buchmann, Ulrich Vollmer

table. Hence, the length of the path covered by all giant-steps together
grows quadratically. Thus, the algorithm has complexity proportional to
the square root of the order of the element. Space and time requirements
do not depend as strongly on the instance as is the case for the squaring
technique. The latter may compute close to double the minimally necessary
number of√baby-steps, while the cost of the former is increased by a constant
factor of 2, both in comparison to a run of the original baby-step giantstep algorithm with a good known bound B. The complexity advantage
of the Terr variant is largest when the first bound B used in the doubling
approach is very small and in the penultimate round the giant steps just
barely fail to hit the baby-step table causing an unnecessary large number
of baby-steps elements to be computed.
Here we show how to translate Terr’s idea to the second domain it was
intended for: computations in the infrastructure of a real-quadratic order. The resulting algorithm computes the fundamental unit ε of such
an order O
√ with discriminant ∆ and regulator R = log ε in time
O((log ∆ + R)(log ∆)2 ) = |∆|1/4+o(1) . An extension can be used to decide

equivalence of O-ideals and to calculate generators of principal O-ideals.
If the input ideals are reduced, then the equivalence algorithm admits the
same running time bound as the regulator algorithm.
In sections 2 and 3 we will introduce basic notions from the theory of
quadratic number fields as well as the infrastructure in the set of reduced
principal ideals of real-quadratic fields. More background on this topic can
be found in [Len82] and [BV07]. For a generalization in the framework of
Arakelov theory to number fields of higher degree, see [Sch04]. In section 4
we give an outline of the regulator algorithm. Details are provided in section
5 and 6 including an example for the quadratic order with ∆ = 2521. The
analysis of the regulator algorithm is given in section 7. Throughout we
have made an effort to present our algorithms in such a fashion that all
operations can be performed exactly. Finally, section 8 is devoted to the
extension of the regulator algorithm to the computation of generators of
principal ideals, extended discrete logarithms and the structure of the class
group of the order.
2. Infrastructure
Let O be a real quadratic order, let ∆ be the discriminant of O, and
let R be the regulator of O. We let F be the field of fractions of O, and
σ be the non-trivial automorphism of F . By I we denote the group of

fractional invertible O-ideals and by P the group of principal fractional
O-ideals. Also, ε is the fundamental unit of O.
The set I can be endowed with a topology using the following notion of
length for elements in F ∗ .

A Terr algorithm

561

Definition 2.1. For α ∈ F ∗ we set Log α = log |σ(α)/α|.
Indeed, it is easy to show that this length map is homomorphic and the
image of the group of units of O is RZ.
Proposition 2.2. (1) The map F ∗ → R, α 7→ Log α is a homomorphism
of the multiplicative group F ∗ into√the additive group R. The kernel
of that homomorphism is Q∗ ∪ Q∗ ∆.
(2) If η is a unit in O, then Log η = − log |η|. In particular, we have
Log ε = −R.
(3) For any α ∈ F ∗ we have Log α = − Log σ(α).

In consequence, we may pull-back the natural topology on R/RZ to P

by using the following map.
Proposition 2.3. The map
(1)

d : P → R/RZ,

αO 7→ Log α + RZ

is a well defined homomorphism of the multiplicative group P into the additive group R/RZ.
Proof. We show that the map is well defined. Let α, β ∈ F ∗ with αO = βO.
Then α/β is a unit in O. Hence α/β is a power of the fundamental unit ε
of O, and Log α/β = Log α − Log β is an integer multiple of the regulator
R.
By Proposition 2.2 the map is a homomorphism.

From Proposition 2.2 it is also clear that in the topology we introduced
∗
ideals in the same orbit under the
√ natural operation of Q on P are inseparable, as are any pairs a and ∆ · a. For the definition of the correct
topological group that embeds into the circle group, see [Len82].

The topology can be extended to all of I by fixing for any non-principal
equivalence classes C in I some ideal a ∈ C, and using the map
d(a, ·) : C → R/RZ : b 7→ d(ba−1 ).
Definition 2.4. Let a and b be equivalent O-ideals. Then we call d(a, b)
the distance from a to b.
3. Cycles of reduced O-ideals
Any fractional O-ideal a can be written in standard representation as
√ !
b+ ∆
(2)
a = q Za + Z
2

Johannes Buchmann, Ulrich Vollmer

562

with a positive rational number q and integers (a, b) such that gcd(a, b,
(b2 − ∆)/(4a)) = 1, and
√

−a < b ≤ a if a ≥ ∆ , or
√

∆ − 2a < b <

√

∆

if

a<

√

∆ .

A fractional ideal is called reduced if it does not contain a number α for
which both |α| and |σ(α)| is smaller than the smallest positive number in
a ∩ Z. In terms of the standard representation (2) this means that q = 1,

and
√
√
| ∆ − a| < b < ∆.
As can be seen from this condition, the set of all reduced O-ideals R∆ is
finite. We have an injective map
d(O, ·) : R∆ ∩ P −→ R/RZ : a 7−→ d(O, a).
The image of this map for the case that O has discriminant 1001 is depicted
in Figure 1. Here, ideals in standard representation (2) are denoted by
(a, b).

O1001

√

Log( −31+2

(10, 31)

1001

)

(10, 29)

(4, 29)

(4, 27)

(17, 27)

(17, 7)
(14, 21)

(14, 7)
(10, 21)
(16, 19) (16, 13)
(13, 13)

(10, 19)

Figure 1. Embedding the principle cycle of O1001 into R/RZ

A Terr algorithm

563

Definition 3.1. For any fractional ideal a we let γ(a) denote the number
of minimal positive length in F ∗ such that
ρ(a) = γ(a)a
is reduced. The number γ(a) is called the reducing number of a.
For any equivalence class C, the map ρ permutes R∆ ∩ C. This set is
called the cycle of reduced ideals in C. For the principal class the cycle is
called the principal cycle. Let a0 = a be reduced and set
ai+1 = ρ(ai ),

a−i−1 = ρ−1 (a−i ),

i ≥ 0.

Moreover, we define the reducing numbers
γi = γ(ai ) =

−2ci
√ ,
bi + ∆

i∈Z .

There are easily proved upper and lower bounds on the length of γi and a
lower bound for the product of two consecutive reducing numbers. For a
proof, see [Len82].
√
Lemma 3.2. (1) 1/ ∆ < Log γi < 21 log ∆, i ∈ Z.
(2) Log γi + Log γi+1 > log 2, i ∈ Z.

Corollary 3.3. For any fractional ideal a we have 0 < γ(a) <

1
2

log ∆.



Lemma 3.4. There is an algorithm that computes for any given fractional
ideal a both ρ(a) and γ(a) in quadratic time.
Proof. In [BB99], it is shown that the classical reduction algorithm of Gauss
can be executed in quadratic time. This yields reduced ideal ρ0 (a) and
relative generator γ0 (a). In [Len82], Lenstra notes (albeit without explicit
proof) that ρ(a) can be obtained from ρ0 (a) by no more than two reduction
steps.

4. Outline of the algorithm
Embedding the set of reduced principal ideals into the circle R/RZ of
circumference R is similar to embedding a cyclic group of order n into the
circle R/nZ of circumference n. (Cf. Figure 1.) While two neighboring
group elements on the second circle have
√ a fixed distance of 1, two reduced
ideals have a distance of at least 1/ ∆ and at most 12 log ∆ (see Lemma
3.2). This indicates computing the regulator is similar to computing the
order of a cyclic group. Also, computing the logarithm of a generator of a
reduced ideal is like computing the discrete logarithm of a group element.
In this section we will use those analogies to develop an algorithm for
computing the regulator R and for solving the equivalence problem.

Johannes Buchmann, Ulrich Vollmer

564

The situation is the following. We are given reduced O-ideals a and b.
The goal is to decide whether or not a and b are equivalent. Also, if a and
b are equivalent, then we want to find λ ∈ F with
b = λa,

0 < Log λ ≤ R.

In order to obtain the regulator, we will choose a = b = O.
The algorithm uses two sequences of reduced O-ideals. The first sequence
a0 , a1 , . . . starts at
a0 = a
and is defined by
ai+1 = ρ(ai ), i ≥ 0.
It is called the baby-step sequence because the distance between two consecutive elements of the sequence is very small, cf. Lemma 3.2. Set
αi =

i−1
Y

γi ,

i≥0

j=0

with γi from Section 3. Then

ai = αi a,
Also, it follows from Lemma 3.2 that

i ≥ 0.

Log αi+1 > Log αi > 0
(3)
and
(4)

Log αi+2 ≥ Log αi + log 2,

i ≥ 0,
i ≥ 0,

lim Log αi = ∞.

i→∞

Initially, the baby-step sequence is calculated until L ≥ 0 is found with
1
(5)
Log α2(L+1) ≥ log ∆.
2
Define
(6)

si = Log α2(L+i)

The second sequence b0 , b1 , . . . starts at

i ≥ 1.

b0 = b.
It is called the giant-step sequence since the distances between the consecutive elements of that sequence become larger and larger. More precisely,
the algorithm determines positive numbers δi ∈ F such that
bi = (δi /α2(L+i) )bi−1 ,

is reduced. If
βi = δi /α2(L+i) ,

i≥1

i≥1

A Terr algorithm

565

then we require
1
log ∆ < − Log βi ≤ si , i ≥ 1.
2
The algorithm is based on the following proposition.

(7)

si −

Proposition 4.1. Assume that a and b are equivalent. Then the following
are true.
(1) There are e, f such that e ≥ 0 and
(8)

be = a f ,

f ∈ {1, . . . , 2(e + L + 1)}.

(2) If (e, f ) is the lexicographically smallest pair that satisfies (8), then
for
(9)

λ = αf /

e
Y

βi

i=1

we have b = λa and
(10)

0 < Log λ ≤ R.
Also,

(11)

e < ⌈E∆ ⌉
where
E∆ = log2 ∆ +

p

2R/ log 2.

(3) If a = b = O and e, f , and λ are as in 2., then Log λ = R and the
fundamental unit of O is 1/λ.
For e = 1, 2, . . . the algorithm calculates the baby-step sequence
(ai )1≤i≤2(e+L+1) and the giant-step be . If a match (8) is found, then the
equivalence of a and b is proved and with λ from (9) we have b = λa and
0 < Log λ ≤ R.
Note that
(12)

λ=

fY
−1
i=0

γi ·

2L+1
Y
i=0

γie ·

e−1
Y
i=1

(γ2(L+i) γ2(L+i)+1 )e−i ·

e
Y

δi−1 .

i=1

Since γi = γ(ai ) can be determined easily from ai , it suffices to store ai ,
1 ≤ i ≤ max{f, 2(e + L)}, and δi , 1 ≤ i ≤ e in order to compute the power
product representation of λ in (12). This will actually be the representation
of λ output by our algorithm.
If for no e < ⌈E∆ ⌉ a match (8) is found, then it is established that a
and b are not equivalent.
It follows from (11) that e and f are of the order
√
of magnitude 2R = ∆1/4+o(1) . We will see that the running time of the
algorithm is of the same order of magnitude.

Johannes Buchmann, Ulrich Vollmer

566

We prove Proposition 4.1. Choose positive λ ∈ F with
b = λa

and
(13)
Define

0 < Log λ ≤ R.
λk = λ

k
Y

βi ,

i=1

Then

k ≥ 0.

bk = λk a, k ≥ 0.
To show 1. we prove the following result.
Lemma 4.2. There is some k ≥ 0 with Log λk ≤ sk+1 . Also, if e is the
smallest such k, then Log λe > 0.
Proof. It follows from (7), the definition of si in (6), and (4) that
lim Log βi = −∞.

i→∞

This proves the existence of k. Let e be the smallest such k. Assume that
Log λe ≤ 0. Then Log λe−1 = Log λe − Log βe ≤ se by (7). This contradicts
the minimality of e.

Proof of 1. Let e be as in Lemma 4.2. Then Lemma 4.2 and (13) imply
0 < Log λe ≤ R.
Let f be the smallest positive index such that be = af . Note that f exists
since be is reduced and sits on the cycle {ai } of reduced ideals in the class of
a. Then 0 < Log αf ≤ R. It follows that Log αf = Log λe ≤ Log α2(e+L+1) .
Hence we also have 0 < f ≤ 2(e + L + 1).
This concludes the proof of 1.
Proof of 2. Let (e, f ) be the lexicographically smallest pair that satisfies
(8). Let e′ be the value of e in Lemma 4.2. Then the proof of 1. shows that
(14)
and we have
(15)

e ≤ e′

0 < Log αf = Log λe + kR
P
for some integer k. Now Log λe = Log λ+ ei=1 Log βi ≤ R since Log λ ≤ R
and Log βi < 0 by (7) and (5). Hence, (15) implies k ≥ 0 and Log αf ≥
Log λe . Since f ≤ 2(e + L + 1), it follows that se+1 = Log α2(e+L+1) ≥
Log λe . This implies e ≥ e′ . Together with (14) we have e = e′ and Log λe >
0 by Lemma
P 4.2. The minimality of f implies k = 0. HenceQLog λ =
Log αf − ei=1 Log βi . Indeed, Proposition 2.2 implies λ = αf / ei=1 βi so

A Terr algorithm

567

that λ chosen at the beginning of the proof coincides with the one defined
in the Proposition and (10) holds.
We prove the upper bound on e. Set E = ⌈E∆ ⌉. Then (7) and Lemma 3.2
imply
log λE = Log λ +

E
X

Log βi

i=1

≤ Log λ −

E
X
i=1

(Log α2(L+i) −

1
log ∆)
2

E(E + 1)
log 2.
2
Now we have E(E + 1)/2 · log 2 > E 2 /2 · log 2 > E/2 · log ∆ + R. Hence,
λE < 0. Since Log λe > 0 by Lemma 4.2 it follows that e < E.
≤ Log λ + (E/2) log ∆ −

Proof of 3. Let a = b = O. Let λ be the number defined in 2. Then
O = λO. So λ is a unit in O. Also 0 < Log λ ≤ R. Finally, all factors of
λ given in (12) are positive, hence so is λ. Proposition 2.2 then says that
1/λ is the fundamental unit, as desired.
5. Construction of the the giant-steps
We explain how a giant-step is computed. We let b0 = b. For some e ≥ 0
we are given the giant-step ideal be and the baby-step ideal a2(L+e+1) . We
compute
be+1 ← ρ(be a−1
2(L+e+1) ),

δe+1 ← γ(be a−1
2(L+e+1) ).

Note that this computation only involves one ideal multiplication and one
reduction of an ideal with norm bounded by ∆. Then
βe+1 = δe+1 /α2(L+e+1) .
That number is not stored explicitely, as this is too space consuming. It
suffices to store δe+1 .
Lemma 5.1. We have se+1 − 21 log δ < − Log βe+1 ≤ se+1 .
Proof. By construction we have − Log βe+1 = se+1 − Log δe+1 . Since
− 12 log ∆ < − Log δe+1 ≤ 0 by Corollary 3.3, we have se+1 − 12 log ∆ <
Log βe+1 ≤ se+1 as asserted.

6. The complete algorithm
We now present the algorithms for computing the fundamental unit of
O and for deciding equivalence between two O-ideals. For the first, called
TerrUnit, see Algorithm 1 on the following page. The second, called TerrEquivalent, is obtained from the first by (1) initializing a0 and b0 with the

568

Johannes Buchmann, Ulrich Vollmer

Algorithm 1 TerrUnit(O)
Input: The order O
Output: a1 , . . . , a2(e+L) , δ1 , . . . , δe , f such that
λ from (12) is the fundamental unit of O
Initial Baby-steps a0 ← O, L ← −1
repeat
L ← L + 1, a2L+1 ← ρ(a2L ), a2L+2 ← ρ(a2L+1 )
until Log α2L+2 > 21 log ∆
if O = af for some 1 < f ≤ 2(L + 1) then
return a1 , . . . , af , f
e ← 0, b0 ← O
loop
Giant Step
c ← be a−1
2(L+e+1) , (be+1 , δe+1 ) ← (ρ(c), γ(c)), e ← e + 1
Baby Steps
a2L+2e+1 ← ρ(a2L+2e ), a2L+2e+2 ← ρ(a2L+2e )
Table look-up
if be = af for some f ≤ 2(L + e + 1) then
return a1 , . . . , a2(e+L+1) , δ1 , . . . , δe , f

given ideals, and (2) terminating the loop once e > E∆ . In those algorithms
the baby-step ideals ai , i ≥ 1, are stored in a hash table. Then deciding
whether a given reduced O-ideal is in that table takes time O(log ∆).
Note that TerrEquivalent presumes that an approximation to the regulator has been computed in advance. This is only used to obtain an integer
close to and larger than E∆ . (The rounding in the calculation of E need
not be exact.) The pre-computation of R can be avoided by computing
two giant step sequences one beginning at b and one at a and terminating
with result nil when there is a match of the second one with the baby step
table.
Example 6.1. Table 6.1 lists the ideals computed in the course of the execution of √
TerrUnit for ∆ = 2521. Ideals in standard representation
aZ + Z(b + ∆)/2 are listed as
√ (a, b). Distances given are distances to the
unit ideal O. We set ω = (1+ ∆)/2. Finally, note that 1/2·log ∆ ≈ 3.916.
The table shows that a11 = b6 (connected by an arrow). Using (12) the
data in the table yields the fundamental unit. We obtain R ≈ 85.768.

A Terr algorithm

L e
0

i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

ai distance

be distance

569

δe

(30, 11)
(20, 29)
(21, 13)
(28, 43)
( 6, 41)
(35, 29)
(12, 43)
(14, 41)
(15, 49)
( 2, 47)
(39, 31)
(10, 49)
( 3, 47)
(26, 5)
(24, 43)
( 7, 41)

2.203
2.426
1
3.085
3.350
2
4.630
5.776
1
6.435 (35,41) −5.776
35
7.715
2
8.861 (10,31) −13.491
2
11.065
3
12.770 ( 5,41) −24.555
1
13.491
4
15.694 (12,37) −37.833
1 − ω/5
17.400
5
17.500 ( 9,35) −54.379
6 − ω/6
18.779
6
(39,31) −72.998 (−7 + 2ω)/9
Table 1. Baby-step ideals ai and giant-step ideals be computed by TerrUnit for ∆ = 2521

7. Analysis of the algorithm
Proposition 7.1. Algorithms
TerrUnit and TerrEquivalent require time
√
and space O((log ∆ + R)(log ∆)2 ).
Proof. It follows from (3) that L = O(log ∆). Also, it follows from Proposition 4.1 that Algorithms TerrUnit and TerrEquivalent
both terminate
√
with the correct output and e = O(log ∆ + R).
In each iteration of the precomputation, the algorithms apply the reduction operator twice to reduced O-ideals. That application has running
time O((log ∆)2 ). In each iteration of the main loop, both algorithms apply ρ once to the quotient of two reduced O-ideals and at most twice to
two reduced O-ideals. By Lemma 3.4 each application of ρ takes time
O((log ∆)2 ). This proves the running√
time estimate.
Both algorithms store O(log ∆ + R) reduced O-ideals and numbers
δi . The size of a reduced O-ideal is O(log ∆), and by Lemma 3.4 each δi
requires space O((log ∆)2 ). This implies the space estimate.


570

Johannes Buchmann, Ulrich Vollmer

8. Computing discrete logarithms and the class group
In this section, we briefly touch upon the problems of computing discrete
logarithms in the class group of a real-quadratic field, and of computing
the class group itself.
Extended Discrete Logarithm Problem. Given two ideals a and b, find
n ∈ Z and α ∈ F such that
a = α · bn .
This problem is most conveniently solved by combining Terr’s original
DL algorithm with the classical baby-step giant-step algorithm in the infrastructure.
More precisely, we let ak , bk , and ck be defined recursively as follows:
a0 = O,

ak = γa,k · ak−1 /b = ρ(ak−1 /b),

bk = γb,k · ck /a

c0 = O,

= ρ(ck /a),

ck = γc,k · ck−1 /ak = ρ(ck−1 /ak ).

Obviously, the ideals ak , bk are reduced, and ak ∼ b−k , and bk ∼ b
More precisely,
ak =

k
Y
i=1

ck =

i=1

/a.

γa,i · b−k ,

bk = γb,k ·
k
Y

k(k+1)
2

k
Y
i=1

−k+i−1
γc,i γa,i
· bk(k+1)/2 /a,

−k+i−1
γc,i γa,i
· bk(k+1)/2 .

We compute baby-step sequences starting at ak , and giant-step sequences
starting at bk and ck . All baby-step sequences have the same number of
elements (or same approximate length) which is derived from the output of
a previous run of TerrUnit. Regarding the giant-steps, care has to be taken
that they are shorter than the shortest sequence of baby-steps computed
before.
Once the algorithm finds a match, i.e. the current giant-step ideal occurs
in the baby-step table, it has found indices k ≤ l such that ak ∼ bl , or
ak ∼ cl , respectively. In the first case, n = l(l + 1)/2 + k is
the sought
exponent. In the second case n equals the order of [b], and [a] 6∈ [b] . Once
the exponent is found, it is easy to compute the generator of a relative to
bn on the basis of the data computed so far.
√
√
The complexity of the algorithm is bounded by O( n(log ∆ + R) ·
(log ∆)2+ǫ ). It can be re-arranged in such a manner that no approximations

A Terr algorithm

571

of real numbers need to be computed and the ǫ can be dropped from the
exponent. Details can be found in [Vol03].
In [BS05], Buchmann and Schmidt have explained how to compute the
structure of a finite Abelian group from generators and relations. That
algorithm cannot be immediately used in the context of real quadratic
class groups since deciding equality of real quadratic ideal classes is more
difficult. Moreover, the algorithm presumes that we have a generating set
for the group available. Finding such a generating set for the class group
of a number field is difficult unless one assumes an Extended Riemann
Hypothesis. If one does assume this hypothesis, then one can use the
Bach bounds [Bac90] to obtain a generating set of quadratic size. Using
this generating set and adapting Buchmann and Schmidt’s algorithm the
same way we adapted Terr’s Discrete Logarithm algorithm we can easily
construct a deterministic class group algorithm for real quadratic orders
that runs in time ∆1/4+o(1) .
References
[Bac90] Eric Bach, Explicit bounds for primality testing and related problems. Mathematics of
Computation 55 (1990), no. 191, 355–380.
[BB99] Ingrid Biehl, Johannes Buchmann, An analysis of the reduction algorithms for binary
quadratic forms. In Peter Engel and Halyna M. Syta, editors, Voronoi’s Impact on
Modern Science, Kyiv, Ukraine 1998, pages 71–98. National Academy of Sciences of
Ukraine, 1999.
[BJT97] Johannes Buchmann, Michael J. Jacobson, Jr., Edlyn Teske, On some computational problems in finite abelian groups. Math. Comp. 66 (1997), no. 220, 1663–1687.
[BS05] Johannes Buchmann, Arthur Schmidt, Computing the structure of a finite abelian
group. Mathematics of Computation 74 (2005), no. 252, 2017–2026.
[BV07] Johannes Buchmann, Ulrich Vollmer Binary Quadratic Forms – An Algorithmic
Approach. Algorithms and Computation in Mathematics, vol. 20. Springer 2007.
[BW88] Johannes Buchmann, Hugh C. Williams, On the infrastructure of the principal ideal
class of an algebraic number field of unit rank one. Math. Comp. 50 (1988), no. 182,
569–579.
[Len82] Hendrik W. Lenstra, Jr., On the calculation of regulators and class numbers of quadratic fields. In J. V. Armitage, editor, Journees Arithmetiques, Exeter 1980, London
Mathematical Society Lecture Notes Series, vol. 56, pages 123–150. Cambridge University Press, 1982.
´ Schoof, Computing Arakelov class groups. http://axp.mat.uniroma2.it/
[Sch04] Rene
∼schoof/infranew2.pdf, October 2004.
[Sha71] Daniel Shanks, Class number, a theory of factorization, and genera. In 1969
Number Theory Institute (Proc. Sympos. Pure Math., Vol. XX, State Univ. New York,
Stony Brook, N.Y., 1969), pages 415–440. Amer. Math. Soc., Providence, R.I., 1971.
[Ter00] David C. Terr A modification of Shanks’ baby-step giant-step algorithm. Mathematics
of Computation 69 (2000), no. 230, 767–773.
[Vol03] Ulrich Vollmer, Rigorously Analyzed Algorithms for the Discrete Logarithm Problem
in Quadratic Number Fields. PhD thesis, Technische Universit¨
at Darmstadt, Fachbereich Informatik, 2003.

572

Johannes Buchmann, Ulrich Vollmer

Johannes Buchmann and Ulrich Vollmer
Technische Universit¨
at Darmstadt
Department of Computer Science
Hochschulstr. 10, 64289 Darmstadt, Germany
E-mail : {buchmann,uvollmer}@cdc.informatik.tu-darmstadt.de